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(54) Authentication apparatus according to the challenge-response principle 



(57) In the first devices, MPU 53 generates random 
number R1 as challenge data. Random number R3 is 
generated by first encryption IC 54, and then combined 
with random number R1 , encrypted, and sent to second 
device 52 as encrypted text C1. When encrypted text 
C2 is similarly received from second device 52, first en- 
cryption IC 54 decrypts C2 and separates the decrypted 
result into first separated data RR2 and second sepa- 
rated data RR4. The first encryption IC 54 returns the 



first separated data to second device 52 as response 
data. MPU 53 compares the first separated data re- 
turned from second device 52 with random number R1 f 
and in the event of a match, authenticates second de- 
vice 52 as a legitimate device. The first encryption IC 54 
generates the time-varying data transfer key by combin- 
ing second separated data RR4 with random number 
R3, and transfers the digital copyrighted data to second 
device 52 by using the data transfer key. 
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Description 

. BACKGROUND OF THE INVENTION 

(1) Field of the Invention 

This invention pertains to an encryption device 
which may be installed in communication devices which 
carry out encrypted communication by sharing a secret 
key, and especially pertains to an encryption device 
which can be realized with a small-scale circuit. 

(2) Description of Prior Art 

It is often necessary to protect data transmitted over 
communication lines from being illegally copied or al- 
tered by intercepting the line of communication. 

For example, the data of copyrighted material such, 
as a movie is often digitalized, compressed and digitally 
recorded onloan optical disc. This electronic data is re-, 
tueved by an optical disc playback device which is ex- 
panded with a data expansion device and played back 
by an audio/video playback device. 

If the optical disc playback device and the data ex- 
pansion device were separated into different devices 
which transmit data to one another, and this transmitted 
data were recorded by a data recording device and cop- 
ied by a digital data copy device without the author's 
consent, then the movie's copyrighted; material would 
be unlawfully copied to the effect of copyright infringe-, 
ment. The illegal copying of data through interception of 
the line of communication needs to be averted. Although 
for the most part a device's circuits and parts' specifica- 
tions are not made known, often the electronic charac- 
teristics and signal protocols for the communication of 
data are, so that the illegal copying of data along the line 
of communication and the subsequent altering of that 
data becomes a serious problem. 

A variety of techniques are well-known^or eliminat- - 
ing this kind of unlawful act to protect the security of 
communications. • 

The most typical of these employ entity authentica- 
tion mechanisms. Basically this a system where the 
sender of data authenticates the legitimacy of the re- 
ceiver, and transmits data only when the receiver's le- 
gitimacy is confirmed. This keeps digital copyrighted 
material from being received by unauthorized devices. 

In this case the entity which, like a receiver, certifies 
. its own legitimacy is called the proven The entity which 
confirms the other entity's legitimacy is called the verifi- 
er. The question here is not so much, whether authenti- 
cation is successful between thespecified devices that 
. .carry out optical disc recording and playback, but is 
whether the devices conform to standards established 
by the optical disc- related device, industry As a conse- 
quence, the word 'legitimate" is defined here as "con- 
forming to established standards." 



Prior Arts #1 

The unilateral authentication method, which makes 
use of encryption technology recorded in the interna- 
5 tjonal standard ISO/IEC9798-2 is the first example of a 
prior art. 

This authentication method is based on the prover 
proving to the verifier that it is in possession of the secret 
data known as the authentication key, without letting the 
10 key itself be known. Thus the verifier first selects random 
data and "throws" it to the prover. This action is called 
a challenge, and the thrown data is called challenge da- 
ta. 

L The prover responds by encrypting the challenge 

•is data using the authentication key and the encryption 
-converter it possesses. Then, it returns the encrypted 
data to the verifier. This action is called a response, and 
* the data is called response data. 

The verifier, which. receives the response data, pos- 
20 sesses the same authentication key and a decryption 
converter; which is an inverse converter for the encryp- 
tion converter as those of the prover, so that the verifier 
now decrypts the response data received from the prov- 
er using the inverse converter. If .the decrypted result 
25 matches the challenge data, the verifier judges the prov- 
er to be in possession of the authentication key, and au- 
, thenticates the legitimacy of the prover. Unilateral au- 
thentication means that one side proves its legitimacy 
t .to the other. 

30 The encryption converter T referred to here is a 
mapping of a collection of plaintext to a collection of en- 
crypted text based on the key data S. Here, the relation 

3S TINV(S,T(S,X))=X 

- is established between plaintext X and the inverse con- 

- . verted TINV, which maps a collection of encrypted text 
- to plaintext in accordance with key data S. This means 

40 that after being converted and inversely converted plain- 
text X returns to its original state. The inverse of the en- 
cryption converter is called the decryption converter. In 
order to function as an encryption converter it must be 
impossible to obtain plaintext X from encrypted text T 

<*$ . (S,X) when key S in not known. Also, the encryption con- 
verter is written as E (S, ), while the decryption converter 
is written as D(S, ). 

Fig. 1 shows an example of the authentication 
method recorded in the above Standards. 

so .. An illustration of digital copyrighted material mj be- 
ing transferred from the first device 11 to the second de- 
vice 12 is shown in Fig. 1. Here first device 11 is con- 
firming the legitimacy of second device 12. 

Below is a description of the conventional unilateral 

ss authentication method following the numbered steps 
shown in the diagram. 

- (1) The first device 11 generates random number 
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R1. This is then transmitted to second device 12 
through the line of communication as challenge da- 
ta. 

(2) When second device 1 2 receives this random 
number, the secret authentication key S loaded in- 
side device 12 is used to encrypt this random 
number. The result, C1, is then transmitted along 
the line of communication to first device 11 as. re- 
sponse data. 

(3) When first device 11 receives this response da- 
ta, authentication key S is used as a decryption key 
to decrypt C1. 

(4) First device 11 compares the decryption result 
RR1 with the random number R1 temporarily stored 
inside first device 11. If they match, first device 11 
considers second device 12 to be in possession of 
the'same authentication key S, and confirms the en- 
tity in communication as a legitimate device. How- 

' - ever if they do not" match, then : it judges the entity ■.' 
■ in communication an unauthorized device and ler- 
'miriates the process 

(5) After first device 11 authenticates second device ■ 
* 12 as legitimate, it transmits the ; copyrighted mate- 
rial along the line of communication. 

' In the event that a third party which did not possess- 
the authentication key S was connected to the line of 
communication in the place of the second device 12, 
then this tertiary device would not be able to construct " 
data of the correct value C1 in step (2), and as a con- 
sequence the results of decryption RR1 in step (3) would 
not match. Because of this" first device ii would not 
transfer the copyrighted material to the third party in step 
(4) * , : 

However, if the same challenge data and response' 
data is always used between first device 11 and second 
^device 12, then it would be possible for a tertiary device 
with this knowledge to impersonate the second device 
' 12. In order to avoid this first device 11 sends different 
challenge' data (random numbers) each and every time. 

Prior Arts #2 

Incidentally, the example of prior art #1 J would still 
permit forged data stored in a hard disc device to be 
unlawfully transmitted to second device 12 in posses- 
sion of the legitimate authentication key. To fix this prob- 
lem, it becomes necessary for second device 1 2 to con- 
firm the legitimacy of first device 11 at the same time 
first device 11 confirms the legitimacy of second device 
1'2. 

It is also possible to intercept the data from the line 
of communication while it was being transmitted to sec- 
ond device 12, extract the data from the line of commu*' 
nication : and store it into for example, a hard disc unit. 
Of course this requires a knowledge of the electronic 
specifications of the signals on the line of communica- 
tion and the data protocol, but since this information is 



not normally kept secret, there is a real danger of the 

copyrighted material being extracted. Because of this, 

authentication is not enough, to that it is also necessary 

to encrypt transmitted communications by distributing a 
5 randomly generated key to both devices and using that 

key to encrypt the copyrighted material. Hereinafter, the 
' secret key for encrypting data of the transmitted copy : 

righted material is referred to as the data transfer key. 
Below is an explanation of Prior Art #2. which ex- 
10 pands on the unilateral authentication of Prior Art #1, 

and which conducts mutual authentication, distribution 

of the data transfer key, and encrypted communication. 
Fig. 2 shows an example of a device which realizes 

mutual authentication, 
is ' • Fig. 2 shows the case when the digital copyrighted 

material mj is transmitted from first device 21 to second 

device 22 after being encrypted 
■ - Below is a description of the conventional mutual 

authentication method and the operations for distribut- 
-20 jng the data transfer key following the numbered steps 

shown in the diagram. 

(1) First device 21 generates random number R1. 
This represents the first challenge data. Then this 
2S . is sent through the line of communication to second 
1 - device 22. 
1 (2) Second device 22 generates random number 
' ■ R2, and creates combined data R1 IIR2 by combin- 
j * - ing R2 with the random number R1 received from 
so ■ first device 21. Here the symbol II means that the 
data from both numbers are lined up by place. Sec- 
: '' ■ ond device 22 encrypts this combined data Rt IIR2 
■ ■'' with the authentication key S as the encryption key, 

and transmits the encrypted text C1 to first device 
35 ; v .- .21 ' 

1 " ' (3) First device 21 decrypts the encrypted text re- 
" " ceived from second device 22 using the authentica- 
tion key S as the decryption key. The separated data 
1 in the' upper position is called RR1, and the sepa- 
40 ■ fattecf data in the lower position is called RR2. 

(4) First device 21 compares the separated data 
" ' ; RRTwlth the random number R1 temporarily stored 
* -'' • iri first device 21, If these match then the entity in 
*' - . communication is judged to be a legitimate device 
45 ■-• • in-possession of the authentication key S. If these 
" do riot match; the authentication process is termi- 
nated. 

■ - (5) First device 21 generates random number K and 
sets this as the data transfer key K. First device 21 
so . . combines obtained separated data RR2 with the da- 
ta 1 transfer key K, encrypts this combined data 

* RR2IIK with the authentication key S to make en- 

• • crypt ed text C2; and transmits this to second device 
■• • 22. ■ - • 

55 s -^(6) Second device 22 uses authentication key S to 
1 decrypit the encrypted text C2 received from first de- 
vice 21 . The separated data in the upper position is 
RRR2, and the separated data in the lower position 
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is KK. 

(7) Second device 22 compares the separated data 
RRR2 with the random number KK temporarily 
stored in first device 21. If these match then the 
communication entity is judged to be a legitimate 
device in possession of the authentication key S. If 
these do not match, the authentication process is 
terminated. Meanwhile, after decryption the sepa- 
rated data KK is set as data transfer key KK. 
(B) First device 21 encrypts the digital copyrighted 
materialising the data transfer key K, and transmits : 
this to second device 22 along the line of commu- 
nication. 

(9) Second device 22 decrypts this using the data 
transfer key KK, and acquires the digital copyright- 
ed material. 

If the first device 21 is in possession of the legitimate • 
authentication key, and the second device 22 is not in 
possession of Ihe legitimate authentication key, first de- • 
vice 21 judges the entity in communication to be lacking 
the legitimate authentication key in step (4), and can ter- . 
minate the process. Likewise, if second device 22 was 
in possession of the legitimate authentication key while 
first device 21 was not, then second device 22 judges 
the entity in communication to be lacking the legitimate 
authentication key in step (7), and ban terminate the 
process. By doing so the digital copyrighted material can ; 
be prevented from passing both to an unauthenticated' 
device from an authenticated one,' and from an unau- 
thenticated device to an authenticated one; 

Also, the digital copyrighted material could be elec- • 
tronically copied and stored in an electronic storage de- : 
vice once the digital copyrighted material is transmitted . 
through the line of communication in step (8) after the 
authentication process is complete when both first de- 
vice 21 and second device 22- are in possession of the 
legitimate authentication key. However, even if this were 
to happen, the digital copyrighted information is encrypt- 
ed, thus becoming meaningless digital data. The origin 
nal digital copyrighted material is, therefore, effectively ", 
protected. ^ / 

Consequently, in order for the mutual authentication 
method using encryption techniques to be successful, it 
becomes a necessary condition, that the authentication 
key loaded into first device 21 and second device 22 will 
not be easily understood by someone trying to steal the 
data. It is also necessary for the random number gen- 
erator for the challenge data and the generator for data 
transfer key K to be inaccessible and unchangeable. . 

The most effective method of securing the confident 
tiality of these structural components-is the implemen- 
tation of the components which perform authentication, 
distribution of the data transfer key, and encrypted com* 
munication in an integrated circuit. Normally*, extensive 
effort is required to analyze an IC,- so authentication 
keys and the like will not be deciphered very easily. 

In order to make the first device 21 of prior art #2 



into an IC, such an IC (hereafter referred to as encryp- 
tion IC) must be fitted with the following parts: 

■ "A random number generator to generate random 
s number R1 

■ "A decryption unit to decrypt the encrypted text C1 

■ "A part to store authentication key S 

■ "A comparison unit to compare random number R1 
with separated RR1 

10 ■ "A random number generator for generating data 
transfer key K 

■ °An encryption part for combining separated data 
RR2 with the data transfer key K and encrypting 
them 

ts ■ d A part to store data transfer key K 

■ "An encryption part to encrypt the digital copyright- 
ed material using data transfer key K. 

Second device 22 also requires a similar amount of 
20 hardware as:listed,above. 

By making the prior authentication method possible 
through ICS, numerous functions, such as two random 
number generators and two converters (decryption unit 
and encryption unit), become necessary. Therefore, 
25 ithcro is the problem of the circuit scale increasing, even- 
. tually leading to an increase in the cost of the device. 
Also, in prior art #2 the data transfer key K for en- 
crypting data is generated by first device 21 1 but due to 
*the same reason that mutual authentication is neces- 
30 sary, it is preferable for the key to reflect values that have 
been generated by both devices. 
:? As stated above, the ideal method for protecting the 
. line between devices is one which seals the functions 
of authentication and their secret information in an IC. 
35 However, to do this using the prior method of equipping 
■ * a single PC with all the parts for mutual authentication, 
the distribution of the data transfer key, and the encryp- 
tion makes the size of the IC very large, -and leads to an 
; increase in cost. - • 

40 „ / . . 

SUMMARY OF THE INVENTION 

The primary object of the present invention is to pro- 
vide an encryption device possessing the minimum 
45 functions necessary for ensuring the security of commu- 
■ nication between devices using only a small encryption 
IC. 

The encryption IC possesses the following func- 
tions:. , 

(1 ) Secure storage of the authentication key. Read- 
ing and .writing of the key from external access is 
not possible. 

• (2) Secure distribution of the data transfer key 
55 Reading and writing of the key from external access 
is not-possible. 

(3) By avoiding equipping the encryption IC with 
parts not pertaining to the security of the communi- 
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• cation system, the size of. the encryption IC can be dom number generation unit for generating a second 

reduced. . . random number to be used, as challenge data to be 

transmitted to the device in communication; and an au- 
The second object of this invention is to provide a . . thentication unit for judging whether response data re- 
highly-secure encrypted communication system and is s turned from the device in communication in response to 
ideal for realization using a small encryption IC. . the challenge data and the second random number 
The primary object can be achieved with an encryp- •.. match, and in case of a match; for authenticating the 
tion apparatus for devices which distribute a data trans- device, in communication as a legitimate device, and 
f er key and use the data transfer key.to perform encrypt- wherein the data transfer key unit generates the data 
ed communication, the encryption apparatus including . to transfer key in the event of authentication, 
a first random number qeneration unit for generating a With the above construction, generation of the le- 
first random number for distributing the data transfer . gitimate data transfer key occurs at the same time as 
key; a first random number storage unit for storing the success of mutual authentication between the devices, 
generated first random number; a first transmission unit - . thereby improving the security of secret communication, 
for transmitting the generated first random number to a 7 5 ' . Here, the second random number generation unit 
device in communication, wherein the device in commu- and the authentication unit may be implemented by ctr- 
nication is another device in current encrypted commu- cuits provided outside the IC. a 
nication: a data transfer key generation unit for gener- • - . With the above construction, parts which have no 
ating the data transfer key through use of the first ran-, . direct relation to the security of the communication sys- 
dom number stored by the Nrsl random number R1 stor- 20 iem, namely processors which are not directly related 
age unit, the data transfer key. being time-varying; a • . : to the generation of the data transfer key are set outside 
transfer data encryption unit for encrypting the transfer - the encryption IC, thereby reducing the size of the en- 
data to be transferred in the "encrypted communication ' cryption IC. * 
through use of the data transfer key, wherein the first Here, the encryption apparatus may further jnclude 
random number generation unit, . thcMirst random 2s, 9 decryption unit for decrypting encrypted combined da- 
number storage unit, the" data transfer key generation < . ta sent from.the.device in communication; a separation 
unit, and the transfer data encryption unit are imple- , ■ • unit for separating the decrypted combined data into a 
mented through a single IC, and wherein the first ran- . . • ■ first separated data which corresponds to response data 
dom number storage unit stores the first random number k- and a remaining second separated data; and second 
in an areaMamper-proof from outside the IC. ,30 transmission unit for transmitting the first separated data 
The first random number directly related to the data to the device in communication, wherein the first encryp- 
transfer key is kept in the encryption IC which is exter-. . . : tion unit combines first random number with the second 
nally' inaccessible. Therefore the time-sensitive data random number, and, encrypts the resulting combined 
transfer key is securely distributed to each device, and . data, and the data transfer key generation unit gener- 
communications are encrypted. The encryption IC pos- ; . ;?3S ates the data transfer key by combining the first random 
sesses only the minimum functions necessary for en- , number with the second separated data, and the de- 
suring security of communication between devices, and , cryption unit and ;the separation unit are implemented 
so can be realized using a small-sized circuit. , . ' through circuits inside the IC. 

Here, the encryption apparatus may further include-. : • The-, encryption apparatus, may further- include a 
a first encryption unit for encrypting the first random, 40 , second transmission unit for transmitting the second 
number, wherein the first encryption unit may be realr i . ; , random number to the device in communication as chal- 
ized by circuits inside the IC, and wherein the first trans- lenge data; a decryption unit for decrypting encrypted 
mission unit may transmit the firstTandom number, en- . ;i.v combined data sent from the device in communication; 
crypted by the first encryption unit, to the device in com- . / ^and^ a reparation unit for separating decrypted com- 
munication. :- 4S bined data into a first separated data corresponding to 
with the above construction, it becomes impossible the response data, and a remaining second separated 
for a third party to learn the first random number which data, wherein the authentication unit performs the 
is directly related to the generation of the data transfer /judgement and authentication with the first separated 
key. Therefore the secrecy of the data transfer key is data as the response data sent back from the device in 
maintained, so that even if the encryption algorithm and so communicati.on... wherein the first encryption unit corn- 
its inverse conversion algorithm are known, the security .bined the challenge data sent from the device in com- 
of encrypted cbmmunication can still be maintained. : munication with the first random number, and encrypts 
Here, the encryption apparatus, wherein each of the . . • the resulting combined data, and wherein the data trans- 
devices which conduct encrypted communication au- fer key generator generates the data transfer key by 
thenticates the other device as a legitimate device by. ss .combining the first random number with the second sep- 
performing communication based on a challenge/re-- - * iarated data, and the decryption unit and the separation 
sponse-type authentication protocol, wherein each en- - unit.are implemented by circuits inside the IC. 
cryption apparatus may further include a second ran- : - • ■ With the above construction, an encryption appara- 
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tus which has the minimum functions necessary for pro- 
tection of the security of communication between devic- 
es and which is' equipped with a small-size encryption 
IC, can be realized. 

Here, encryption algorithm used by the transfer da- 5 
ta encrypLion unit may be identical to an algorithm used 
by at least one of the -first encryption unit and the de- 
cryption unit. 

With the above construction, the data transfer en- 
cryption unit, the first encryption unit and the decryption 10 
unit can be combined into a single converter, so circuit 
size of the encryption IG can be reduced. 

Here, the encryption algorithm of the transfer data 
encryption unit may differ from and be simpler than an 
algorithm used by either of the encryption and the de- '5 
cryption unit. *• - 

With the above construction, even when encryption . 
has to be repeatedly performed due to the large data 
size of the transfer data, the problem of dramatic in- . 
creases in the data transfer lime can be avoided. ' ■ 2° 

Here, the transfer data encryption unit may divide 
the transfer data into blocks and encrypt each block us- 
ing the part corresponding to the data transfer key 

With the above construction, the present encryption 
apparatus can be used oven for the encrypted eommu- 2S -, 
nication of large amounts of transfer data: * 

Here, the transfer data encryption unit may conduct • 
encryption using exclusive OR on the blocks and the da- 
ta transfer key " 

With the above construction, a transfer data encryp- 30 
tion unit can be realized through simple logic circuits. 

Here, the encryption performed by the. first encryp- . 
tion unit and the encryption performed by the second . 
encryption unit may use trie same conversion algorithm. 

• With the above construction, the first encryption unit 35 
and the decryption unit can be combined into one con- 
verter, so the circuit size of the encryption IC can be re- 
duced. 

Here, the first encryption -unit- and the decryption ^ 
unit may decrypt and encrypt using key data stored in 40 
advance inside the IC, wherein one part of the key data 
is stored in a mask ROM- area inside the IC, and the : • 
other part is stored in a programmable-ROM area inside. *■ 
the IC. 

With the above construction^ the problems that : oc- * 45 
cur when the authentication key is made up of only mask • 
ROM, and the problems that occur when the authenti- 
cation key is made up of only programmable ROM can* * 
be avoided. ^ fc * 

Here, each of the devices which conductencrypted .i so ■ 
communication may authenticate the- other device by v 
performing communication based on a challenge/re-, 
sponse-type authentication protocol, wherein each en- 
cryption apparatus may further include a decryption unit • 
* for decrypting encrypted combined data sent from the 55. 
device in communication in response to the challenge 
data; a separation unit for separating decrypted com- 
bined data into a first separated data Wh ion-corresponds 



•to the response data and a remaining second separated 
data an authentication unit which judges whether or not 
the first random number matches the first separated da- 
ta, and in the event of a match, authenticates the device 
in communication; a second encryption unit for encrypt- 
ing the second separated data in the event of authenti- 
cation; and a second transmission unit which transmits 
the encrypted second separated data to the device in 
communication as response data, wherein the data 
transfer key generation unit generates the data transfer 
key by combining the first random number and the sec- 
ond separated data, wherein the decryption unit, the 
separation unit; and the second encryption unit are im- 
plemented through circuits inside the IC. 

. . With the above construction, only one random 
number is generated. Since this random number is used 
both for the authentication key and for the generation of 
the data transfer key, the size of the circuits for genera- 
tion of random numbers in the encryption apparatus are 

.reduced. * . - 

Furthermore, since random number generation for 
authentication and comparison processes are conduct- 
ed inside the encryption IC, the. level of security of en- 
cryption communications is heightened. 
. i The above second object can be achieved by a 
communication system made up of. a transmitter and a 
receiver which conduct distribution of a data transfer key 
and encrypted communication using the data transfer 
key, the transmitter and receiver, being devices in com- 
munication which authenticate each other through com- 
munication based on an authentication -protocol of chal- 
lenge/response.type, wherein the transmitterand the re- 
ceiver each include a first random number generation 
unit for generating a first random number to be.used as 
challenge data; a second random number generation 

- unit for generating a second random number to be used 

. as the data transfer key; a combination unit for combin- 
ing the first random number wiLh the second random 

. number; an encryption unit for encrypting the combined 
data; a first transmission unitJor transmitting the en- 
crypted combined data to the device in communication; 
a first :receiving Unit for receiving the encrypted com- 
bined data sent from the first transmission .unit; a de- 
cryption unit for decrypting the recejved combined data; 
a separation unit for separating the decrypted combined 
data into a first separated data which corresponds to the 
response data, and a remaining second separated data 
to be used for the data transfer key; a second transmis- 
sion unit for transmitting the first separated data to the 
device in communication as response data, a second 
receiving unit for receiving the first separated data re- 
turned from the second transmission unit of the device 

. in communication; a comparison unit which compares 
the received first separated data with the first random 
number, and in the event of a match, authenticates the 
device in communication as a legitimate device; a data 
transfer key .generation unit for generating the data 
transfer. key by combining the second random. number 
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with the second separated data; and an encrypted com- 
munication unit tor conducting encrypted communica- 
tion with the device in communication by using the gen- 
erated data transfer key when authentication has been 
achieved. $ 

This object can also be achieved by a communica- 
tion system made up of a transmitter and a receiver 
which conduct distribution of a data transfer key and en- 
crypted communication using the data transfer key, the 
transmitter and receiver, being devices in communica- -to 
tion which mutually authenticate through communica- 
tion based on an authentication protocol of challenge/ 
response type, wherein the transmitter and the receiver • 
each include a first random number generation unit for r . 
generating a first random number to be used as chat- 
lenge data; a first transmission unit for transmitting the 
first random number to the device in communication; a * 
first receiving unit for receiving the first randomnumber 
sent from' the firsL transmission unit; of the device in 
communication; a second random number generation 20 
unit for generating a second random umber to be used x. ■ ■ 
for the data transfer key; a combination unit for combin- . • 
ing the received first random number with the second 
random number; ah encryption unit for encrypting the .. . 
combined data; a second transmission unit for transmit- _2$* 
ting the encrypted combined data to the device in com- 
munication; a second receiving. unit for receivingithe en- r 
crypted combined data sent from the second.transmis- 
sion unit of the device in question; a decryption^unit for 
decrypting the received combined data; a -separation 30 , 
unit for separating the decrypted combined data into a -d . 
first separated data which corresponds to the/response v . . 
data and a second, separated data to be used for the 
data transfer key; a data transfer key generation unit for ' 
generating the data transfer key by combining the sec- -35, 
ond random number with the second separated data; v 
and an encrypted communication unit for conducting en- . ; 
crypted communication with the device in communica- 
tion by using the generated data transfer key when au- 

* thentication has been achieved;; - ..-.*■■ ; - #0, 

The above object can further be achieved by a com- .- :_c 
munication System made' up of a transmitter 'and a re~:r* o 
ceiver which conduct distribution'of.a data transfer key^ciL i 
and* encrypted communication. using the data transfer 
key, the transmitter and receiver, being devices in com- 
munication which authenticate each other through com- 

" munication based on an authentication protocol of chal- 
lenge/response type, wherein the transmitter includes a 
first random number generation unit for generating a first 
random number; a first encryption unit for encrypting the. .. so m 
first random number; and a- first transmission unit for 
transmitting the encrypted first random number to the 
receiver, wherein the .receiver includes a first receiving - • 
unit for receiving the ehc rypLeckrandom number; a first . 
decryption unit for decrypting the received first random- $5 
number; a second random number generator for gener- 
ating a second random number; a first combination unit 
for generating combined data by combining the first ran- . . 



dom number with the second random number; a second 
encryption unit for encryption the combined data; and a 
second transmission unit for transmitting the encrypted 
combined data to the transmitter, wherein the transmit- 
ter further includes a second receiving unit for receiving 
the encrypted combined data; a second decryption unit 
for decrypting the received combined data; a separation 
unit for separating the decrypted combined data into a 
first separated data which corresponds to the first ran- 
dom number and,a second separated data which corre- 
sponds to the second random number; a first compari- 
son unit which compares the first random number with 
the first separated data, and in the event of a match, 
authenticates the receiver as a legitimate device; a third 
encryption, unit for encrypting the second separated da- 
ta in the event of authentication; and a first data transfer 
key generation unit for generating the data transfer key 
by combining the first random number generated by the 
first random number generation unit and second sepa- 
rated data obtained, by the separation .unit, wherein the 
receiving unit further; includes a third receiving unit for 
receiving the encrypted, second separated data; a third 
decryption unit for decrypting the received second sep- 
arated data; a second comparison unit which compares 
the decrypted second separated data with the second 
random number, and in the event of a match, authorizes 
otha -transmitter as a legitimate device; and 
a second data transfer key generation unit for generat- 
ing the data transfer key by combining the first random 
^number, obtained by the first decryption unit with the sec- 
ond random number generated by the second random 
number generation unit, . ■ . ■ 
wherein the transmitter further includes a fourth encryp- 
tion unit for encrypting transfer data using the data trans- 
fer key generated by the first data transfer key genera- 
tion. unit; and a fourth transmission unit for transmitting 
the encrypted transfer data to the receiver, and wherein 
the receiver also includes a fourth receiving unit to re- 
■ ceive the, encrypted transfer data from the transmitter; 
oand a:fourth decryption unit for decrypting the encrypted 
-transfer data- using the data transfer key generated by 

- the secondr.data transfer key generation unit. 

Therabove is ideal for realizing an encryption com- 
munication system, which makes use of a small-size en- 
cryption IC. This is because generation of thedata trans- 
. fer key occurs when the transmitter and the receiver mu- 
tually authenticate, random numbers directly related to 
the generation of the dala transfer key not are sent or 
received, and the two random numbers directly related 
• tojhe generation of. the data transfer key are provided 
.by the:transmitter and the receiver, respectively. 

-BRIEF. DESCRIPTION OF THE DRAWINGS - : 

. : «,;J3iese and other, objects, advantages, and features 

- oUheiinvention will become apparent from the following 
1 description thereof taken in conjunction with the accom- 
panying drawings which illustrate a specific em bodi- 
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ment of the invention. In the Drawings: 

Fig. 1 is a diagram showing the processing se- 
quence of unilateral authentication in Prior Art #1; " 
Fig. 2 is a diagram showing the processing se- 
• quence of mutual authentication in Prior Art #2; 
Fig. 3 is a diagram showing the processing se- 
quence of an encryption apparatus pertaining to 
embodiment 1 of this invention; 
Fig. 4 is a block diagram showing the hardware con-, 
figuration of first encryption IC 54 shown in Fig. 3; 
Fig/ 5 is a diagram showing the processing se- 
quence of an encryption apparatus pertaining to 
embodiment 2 of this invention; * 
Fig. 6 is a diagram showing* the processing se- 
quence of an encryption apparatus pertaining to 
embodiment 3 of this invention; 
Fig. 7 ' is a diagram showing the processing se 1 
quence of an encryption apparatus pertaining to 
embodiment 4 of Ihis invention; 
Fig. 8 is a block diagram showing the hardware con- 
figuration of first encryption IC 94 shown in Fig. 7; 
Fig 9 is a diagram showing a" specific example of 
the application of the encryption apparatus pertain-' 
ing to this invention in a communication system; 
Fig. 1 0 is a block diagram showing the configuration 
of the optical disc drive apparatus 110 shown in Fig. ; 
9;' • ; 

Fig 11 is a diagram showing the outline of the circuit 
board mounted inside the optical disc drive appara- 
tus 110; and 

Fig. 1 2 is a block diagram showing the configuration 
of the image playback apparatus 111 shown in Fig: 

'9. 

DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

Embodiment 1 ■• 

Fig. 3 is a diagram showing the processing se-' 
quence for the first embodiment whereby^a first and sec- 
ond device which are equipped with the encryption ak 
gbrithm if the present invention carry out-mutual authen- 
tication, distribution of the data transler key, and en- 
crypted communication. - 

The transmission of digital copyrighted material mj 
from first device 51 to second device 52 is shown in Fig. 
3. However, only the encryption apparatuses equipped 
in devices 51 and 52 are shown. The structural elements 
not in direct relation to the encryption apparatus (namely; 
the transmitter- receiver and various parts which proc- 
ess the digital copyrighted material) have been omitted. 

The encryption apparatus pertaining to this inven- 
tion which is equipped in first device 51 can be roughly 
divided into MPU' 53 and first encryption TC 54. 

MPU 53 is constructed of ROM for maintaining the 
control program built into th encryption device, a gen- 



: - - ^eral microprocessor for executing the control program, 
»and RAM. MPU 53 carries out processing not directly 

- ■ . related to the distribution of the data transfer key (steps 

(1 ) , (7) in the diagram). 

- s- •. - The first encryption IC 54 is a single-chip semicon- 

: ductor IC, and carries out processing directly related to 
- 1 the distribution of the data .transfer key (steps (3), (5), 
(9), and (11 ) in the diagram). 

The encryption apparatus pertaining to this inven- 
io tion which is equipped in second device 52 can also be 
. - roughly divided into MPU 55 and second encryption IC 
56. 

MPU 55 is constructed of ROM for maintaining the 
• control program built into the encryption device, a gen- 
l.s. eral microprocessor for executing the control program, 
■ and RAM. MPU 55 carries out processing not directly 
related to the distribution of the data transfer key (steps 

(2) , (8) in the diagram). - ■ * 

. - ■ . The first encryption IC 56 is a single-chip semicon- 
. 20 ductor IC, and carries out processing directly related lo 
the distribution of the data transfer key (steps ,(4), (6), 
*' . (1.0), and (12) in the diagram). - 

It should be noted that this embodiment uses the 64 
bit encryption algorithm E and its inverse conversion al- 
25 gorithm D, which arc based on the Data Encryption 
Standard (DES). The conversion which uses encryption 
. : algorithm E is hereafter referred to as "encryption", while 
: . the conversion using inverse conversion algorithm D is 
referred to as "decryption", Also, first encryption IC 54 
■30 is equipped only with encryption algorithm E. while sec- 
-.. ond encryption IC 56 is equipped with only inverse con- 
t » version algorithm D. This is both for reducing the size of 
" - encryption ICs 54 and 56, and for security, and is based 
on principles which are described with reference to the 
35 * "Check Application" of Japanese Laid-Open Patent Ap- 
: plication #7-261241 /inter-device communication pro- 
teetion apparatus". designed -by the present inventors. 
\ . In concrete terms, encryption algorithm E .employs an 
valgorithm. with properties of substitution: Here substitu- 
~ 40 . tion is defined as the conditions whereby "plaintext re- 
i- ' turns to its original state whenever the encrypted text is 

decrypted or the decrypted text is encrypted." 
: • ^ .The following is an explanation of the operations of 
the encryption apparatus in embodiment 1 with refer- 
45 ence to the steps in Fig. 3. , 

. (1 ) MPU 53 inside first device 51 generates random 
number R1 (32-bit), stores it and hands it to first encryp- 
tion IC 54. . 

(2) As in step (1), MPU 55 inside second device 52 
so generates random number R2(32-bit), stores it and 

hands it to second .encryption IC 56. 

(3) First> encryption IC 54 generates random 
.number R3 (32-bit) : and stores it in an externally inac- 
cessible-area. It then combines, random number R1 gen- 

"55 erated by MPU 53 with random number R3 and per- 
forms encryption according to function E. 

Here, the symbol I L stands for the 64-bit number 
made from a combination of two random numbers lined 
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up by place (with random number R1 as the upper 32 
bits, and random number R2 as the lower 32 bits). Also, 
the encryption makes: use of the secret authentication 
key S which is retained commonly by first encryption IC 
54 and second encryption IC 56 beforehand. First en- • 
cryption IC 54 transmits the encryption result CI to sec- 
ond device 52 through the transmitter inside first device 
51 (not shown in the diagram). 

(4) As in step 3, second encryption IC 56 generates 
random number R4 (32 -bit), and stores it in an externally: 
inaccessible area. The random number R2 generated 
by the previous MPU and the previous random number ■ 
R4 are combined and decrypted with inverse converter 
algorithm D. Authentication key S is used in the decryp- 
tion. Second encryption IC 56 transmits the decryption . 
result C2 (64-bit) to first device 51 throughthe transmitr ; 
ter inside second device 52 (not shown in the diagram). 

(5) First encryption IC 54 uses function E.to encrypt- * 
decrypted 'text C2, received from second device 52.. 
Then the obtained 64 bits are separated into separated 
data RR2 (upper 32 bits) and separated data RR4 (lower i . 
32 bits). Furthermore the separated data RR2.is trans- 
mitted to second device 52Mhrough the transmitter in., 
first device-51 , while separated data RR4 is not sent out,- 
but is instead loaded into an externally inaccessible area 
in encryption IC 54. • ■ - 

As long as first encryption I C 54 and second encryp- i- 
tioh IC 56 are both legitimate, and both are in. posses- 
sion of the same authentication key S, then separated * 
data'RR2 wilt match the random number R2 generated . 
by MPU 55, while separated data RR4 will match ran- 
dom number Restored inside second encryption IC 56... ■ 

• (6)- As in step (6), encrypted text C1 ; received from 
first encryption IC 54, is decrypted by second encryption 
IC 56 through use of inverse conversion algorithm D. 
Then the obtained 64 bits ate separated into separated 
data RR1 (upper 32 bits) and separated data RR3 (lower 
32 bits). Furthermore the- separated data RR1 is trans- 
mitted to first device 51 through the transmitter in sec- 
ond device 52, while separated data RR3 is not sent out, 
but is instead stored in anexternally. inaccessible area ~. 
in second encryption IC 56. - - 

' -As long as first encryption I C 54ahd second encrypt 
tion IC 56 are both legitimate, . and both are in possess 
sion of the same authentication- key S, separated data - 
RR1 will match the random number R1 , while separated 
data RR3 will match random number R3. ' 

(7) MPU 53 of first device 51 compares random 
number R1 stored in step (1 ) with separated data RR1 
received from second device52. If the event of a match,, 
second device 52 and the second encryption IC 56 in- 
side are both' authenticated as legitimate devices. 

(8) As in stop (7), MPU 55 of second device 52 com-- 1 
pares random number R2 stored in step (2) .with sepa- 
rated data RR2 received from second device 52 If the 
event of a match, first device 51 and the first encryption 
IC 54 inside are both authenticated as legitimate devic- 
es. • " - - ■ * 



(g) Data transfer key K is prepared by combining 
the random number R3 stored in step (3) with separated 
data RR4 in first encryption IC 54. The data transfer key 
K has upper 32 bits as random number R3, and lower 
5 32 bits as separated data RR4. Because this data trans- 
- fer key K is a combination of two random numbers, it is 
• time-variable; that is, newly and randomly generated, 
i ' (10) As in step (9), data transfer key K is generated 
by combining the separated data RR3 with random data 
ip R4 stored in- step (4) in second encryption IC 56. The 
data transfer key K has upper 32 bjts as separated data 
RR3, and lower 32- bits as random number R4 stored in 
. . :step (4). This data transfer key is time-variable as well. 
Furthermore, as long as mutual authentication in 
steps (7) and (£) succeeds, then random number R3 
generated in step (3) will match the separated data RR3 
obtained in step (6). Likewise, random number R4 gen- 
. . . erated in step (4) will match separated data RR4 ob- 
- - tained in step (5). Consequently the data transfer keys 
20 k generated separately in steps (9) and ( 1 0) will match. 

(11) The blocked digital copyrighted material trans- 
5t * mitted from first device 51 mj (64-bit) is encrypted by the 

first encryption IC 54 inside first device 51 using the data 
• . transfer key obtained in step (9). The process, of trans- 
25 ■ .mining the obtained encrypted text Cj to. second device 
. 52 is repeated until all the digital copyrighted material 
■ .Jo.be transferred has been sent. , 

(12) In response to step (11), second encryption IC 
r 56 inside second device 52 receives the encrypted dig- 

30 ^ |tal copyrighted material Cj (64-bit) sent from first device 
51, decrypts Cj using data transfer key K acquired in 
step (10), and sends the obtained digital copyrighted 
material mmj to MPU 55. This decryption is repeated as 
long as the digital copyrighted material Cj continues to 

35 be transmitted from first device 51 . 

In this way; mutual authentication, distribution of da- 
ta transfer key K, and the encrypted communication of 
data is performed between first device 51 and second 
device 52 using the encryption apparatus of ernbodi- 

40 ment 1 . 

As is apparent from the above explanation, the en- 
cryptiop apparatus of .embodiment 1 has the following 
^.characteristics..^.. 

-.v.-. . :.jThe .first characteristic is the secure protection of 
45 the, data transfer key K inside the encryption IC. To be 
more specific, with the encryption apparatus equipped 
in first device 51, the two pieces of data used directly 
for the generation^ data transfer key K, namely, ran- 
dom number. R3 and separated data RR4 meet the fol- 
so < lowing requirements. 



The random.number R3 is generated inside first en- 
cryption. IC 54, and -is maintained in an externally 
unreadable area without being outputted. 



55- 



OThe; separated data RR4 is generated (separate 
generation) inside first encryption IC 54, and is 
maintained -in an externally unreadable area without 
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being outputted. 

The security of the encrypted communication be- 
tween first device 51 and second device 52 is thus guar- 
anteed even though encryption algorithm E and inverse 
conversion algorithm D are employed as known algo- 
rithms, because the data transfer key K is maintained 
inside first encryption IC 54. 

The second characteristic is the restriction of the cir- 
cuits inside encryption IC 54 to the necessary minimum. 
More specifically, with the encryption apparatus 
equipped in first device 51 and second device 52, the 
following processes are realized by the circuits outside 
of first encryption circuit 54, namely, MPU53. 

• Generation of random number R1 - - 

• Comparison of random number Rl to separated da- 
ta RR1. 

Put simply, care has been taken thai the circuits of 
! the encryption IC 54 do not exceed" the minimum nec- 
essary size. These two processes pertain to the authen- 
tication of the other device and are not directly related 
to the generation of data'transfer key K. Therefore, even 
if unauthorized access were attempted by exploiting the 
fact that these processes are realized outside of the IC, 
it would still be. impossible to access first device 51 and 
perform any potentially lucrative illegal operations. Fur- 
ther, response data RR2 corresponding to challenge da- 
ta C2 from first device 51 is constructed inside the en- 
cryption IC. ^ 

Fig. 4 is a block diagram showing the hardware con- 
struction of first encryption. IC 54. 

Second encryption IC 56 can also be realized with 
hardware of similar scale. > 

External l/F unit 61 is the only input/output port for 

• external access to the internal circuits of the first encryp- 
tion IC. • • 

* Random number generator 60 generates the 32-bit 
random number R3. - : ■ 

Random number storage unit 62 isvthe memory cir- 
; cuit which keeps the random number- R3 generated by 
the random number generator 60. - 

Combination unit 63 combines the 32-bit data R1 
' inputted through the external l/F unit 61 as the upper 32 
bits and the random number R3- stored: in random 
number storage unit 62 as the lower 32 bits: 

Authentication key S storage unit 64 is the memory 
circuit which maintains authentication key S which is re- 
ceived beforehand. *- 

Switch 64 is a 3 input/1 output multiplexer, while: 
♦switch 66 is a 2 input/ 1 output multiplexer. Both are 64 
bits wide. ' 

•E function 67 is an encryption circuit based on the 
- encryption algorithm E. 1 - - * - 

Switch 68 is a 1 input/3 outputmultiplexer 64 bits 
wide. ... 

Separation-unit 69*separates the 64-bit data output- 



led* rom switch 68 into upper 32 -bit data RR2 and lower 
• 32-bit data RR4. 

• Data transfer key K generator 59 generates data 
transfer key K by combining random number R3 stored 
. 5 in random number storage unit 62 as the upper 32 bits, 
. ■ ■ <• and the "separated data RR4 separated in separation 
: Unit 69 as the lower 32 bits. 

Data transfer key K storage unit 70 is a memory cir- 
cuit which maintains data transfer key K generated by 
'io data transfer key k generator 59. 

Next, Fig. 4 shows how each construction element 
operates in each step shown in Fig. 3. 

In Fig. 3, random number generator 60 generates 
random number R3 and stores it in random number stor- 
es age unit 62. Random number R1, inputted through ex- 
: . ternal l/F unit 61 , is combined with random number R3 
. •„ in combination unit 63 and sentto E function 67 through 

■ i switch 65: E function 67 receives authentication key S 

through switch 66>f rom authentication key S storage unit 
20 -64, uses S lo encrypt combined data R1 IIR3 oulpulled 

from combination unit 63, and then outputs the result C1 
. to second device 52 through -switch 68 and external l/F 
. . unit 61. 

In Fig. 3 steps (5) and (9) the decrypted text C2 in- 
. 2S. putted through the external l/F unit 61 is inputted to E 
• function by way of switch 65. E function 67 receives au- 
thentication key S from authentication key S storage unit 
r 64, uses S to encrypt decrypted text C2, and then sends 
C2 to separation unit 69 through switch 68. Separation 
.30 .unit 69 separates this into separated data RR2 and sep- 
arated data RR4. Separated data RR2 is outputted 
through extemalJ/F unit 61. while separated data RR4 
is sent to data authentication key K generator 59. Data 
-. authentication key K generator; 59 stores data transfer 
35 - key K in data transfer key K storage unit 70 after gener- 
„ '•. ation through combining random number R3 stored in 
random number storage unit 62, and separated data 
RR4 sent from separation unit 69. 

In Fig. 3 step (11), the E function 67 uses data trans- 
40 fer key K stored in data transfer key K storage unit 70 

■ - to encrypt digital copyrighted material inputted through 

,~ external l/F unit 61 and switch 65. The result Cj is out- 

- . putted to second device 52 through switch 68 and ex- 
ternal l/F unit 61. . 

45 ; Here; while specific bit length and data composition 
v of the random numbers and encrypted text are shown 

- 1 in embodiment 1, the invention is not limited to these. 

For example, in the above step (5), the 32-bit random 
numbers R1 and R2 are combined to make 64 bits, 
■ so-- which is then inputted to.64-bit encryption function E, to 
give 64-:bit encrypted text^ C1. Here, each, random 
number can be set at 64 bits, for example, so that by 
' performing encryption twice according to the encryption 
algorithm, 128 encrypted text CI can be generated. 
ss However, in this situation it is necessary that parts con- 
cerned with random number R1 and parts concerned 
. with random number R2 not be easily detached from en- 
crypted text C1 . One way to do this is encryption with a 
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chain like the CBC mode. For more about CBCimode, 
consult pages 193-197 of Applied Cryptography, Sec- 
ond Edition, by Bruce Schneider, John Wiley & Sons, 
Inc., 1996. 

In embodiment 1 the size of the hardware has been 
reduced by equipping first encryption IC:54 with only the 
encryption function E, and second encryption IC 56 with 
only its inverse function D. As pointed out above, how- 
ever, this itself is not the essence ot Lhis invention. In 
other words, these items should. be decided based on 
the permitted circuit size and algorithm type for encryp- 
tion ICs 54 and 56. For example, each could be in pos- 
session of both the encryption algorithm E and the in- . 
verse conversion algorithm D so that boLh could use 
encryption algorithm E to encrypt random numbers and 
use inverse conversion a Igor ithrrt D to decrypt data sent 
from the other device/ This is because the present in- * 
vention is in fact characterized by having arleast the 
construction directly related to the generation of the data 
Transfer key K providedin :a single JC to maintain the . 
suctecy of communication . . . • - . 

• Also, in embodiment 1 the random .number R1 . 
could, for example, be generated inside encryption IC .> 
54 iri step (1). By doing so, the possibility 6f first encryp- i 
hon IG -54 being used as' a decryption devicorcan be; 
avoided, and- a -safer encryption apparatus *:can be,.; 
achieved. In other words, in embodiments the randoml : 
number R1 is generated outside first encryption IC 54, 
which outputs encrypted text C1 based on this random 1 
- number R1 The encrypted text C1 is influenced by ran- 
■ dom number R3 generated inside first encryption IC 54, 
but if random number R3 is not of sufficiently random 
value, then first encryption IC 54 could be used-as a de- 
cryption-device for unauthorized purposes. Therefore, 
. by generating random number R1 inside first encryption 
IC'54, the above chances for attack are avoided, and-,: 
the encryption apparatus becomes more secure. 
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Embodiment 2 ■ ^ 

Embodiment 1 is shown net as an alternate exam- ■? 
pie of steps of embodiment -1 sfiown in Fig- 3. Hardware/? 
is of similar scale to that of embodiment 1 shown in Fig. 
4. In embodiment 1 , the response data was transmitted' 
encrypted while the challenge data was not, but in em- . 
" bodiment 2 the challenge data is transmitted encrypted 
while the response data is not. The explanation below 
focuses on the differences with embodiment 1 . 

Fig. 5 shows the processing sequence in embodi- 
ment 2 for 1 mutual authentication, distribution of data 
" transfer key K, and' encrypted communication of data 
between first device'7Tand second~device 72, which-r. 
arc equipped with encryption apparatus pertaining to 
this invention. ' r '" ■ *. ■ ! 

Fig.* 5' shows digital copyrighted material mj being 
transmitted from first device 71 to second device 72. - 

MPU 73, first encryption IC 74, MPU 75 and second 
encryption IC 76 each correspond to MPU53; first en- r 
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cryption IC 54, MPU 55 and second encryption IC 56 in 
embodiment 1 . Except for the difference in processing 
procedures, hardware configuration is identical to em- 
bodiment 1 . 

Below is an explanation of the operations of the en- 
cryption apparatus of embodiment 2 following the num- 
bered steps shown in Fjg, 5. 

(1) MPU 73 inside first device 71 generates random 
number R1 (32 -bit),. stores it and sends it to second en- 
cryption IC 72 through the transmitter of first device 71 
(not shown in the figure). In second device 72 this is sent 
to secpnd encryption IC 76. 

(2) As in step (1), MPU 75 inside second device 72 
generates random, number R2(32-bit), stores it and 
transmits it to first device 71 through the transmitter of 
second device 72. First device71 hands this to first en- 
cryption IC 74. , 

(3) First encryption IC 74 generates random 
number R3 (32-bit) : and stores it in an externally inac- 
cessible area . It. then combines the random numbers re- 
ceived second device 72, R1 and R2, and performs en- 
cryption according to function E using the secret authen- 
tication key S which is retained commonly by first en- 
cryption IC 54 and second-encryption IC 76 beforehand. 
First encryption IC 74 transmits the resulting encryption 
text.CI (64-bit) to second device 72 

(4) As.in step 3, second encryption IC 76 generates 
: random number R4 (64-bit), and stores it in an externally 
inaccessible area. Random number R1 is received from 
i .first device 71 , combined with random number R4, and 

the result is decrypted with inverse conversion algorithm 
D using authentication key S. Second encryption IC 76 
transmits the resulting decryption text C2 (64-bit) to first 
device 71. 

(5) First encryption IC 74 uses E function to encrypt 
decrypted text G2 received from second encryption IC 
76 with authentication key t S.. Of the 64-bit result, the 
upper 32 bits become separated data RRt, while the 

.. low.en 32 fcits become separated data RR4. Then, sep- 
arated data RR1 is sent to MPU 73 jn first device 71, 
. while :sepa rated data RR4 is not sent outside, but is in- 
T-stead sliored:: in an area.in first encryption IC 74 exter- 
nally inaccessible. .* 

ic'htere-if both encryption ICs are legitimate and both 
arejn possession of the same authentication key S, then 
the separated data RR1 will be the same as the random 
number R1 generated by MPU 73 inside first device 71 , 
and separated data RR4 will be the same as random 
numbenfl4 generated by second encryption IC 76. 

(6) As in step (5), second encryption IC 76 uses in- 
verse con version algorithm to decrypt resulting encrypt- 
ed^text Q1 received,from first encryption IC 74,with au- 
thentication key S. Of the resulting 64-bit data, the upper 
' 32: bits become separated data,RR2, while the lower 32 
bits become separated data RR3. Then, separated data 
RRSiis-sent.tp MPU 75 in second device 72, while sep- 
arated data RR3 is not sent outside, but is instead stored 
in an area inaccessible from outside second encryption 
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IC76. * * 

Here, if both encryption ICs are legitimate and both 
are in possession of the same authentication key S. then 
the separated data RR2 will be the same as the random 
number R1 generated by MPU 75 inside second device s 
72, and separated data RR3 will be the same as random • 
number R3 generated by first encryption IC 74. 

• (7) MPU 73 inside first device 71 compares the pre- 
viously stored Rl with separated data RRl received , 
from first encryption IC 74.. If they match, then second 
device 72 and its second encryption IC 76 are authen- 
ticated as legitimate devices. 

(9) As in step (7), MPU 75 inside second device 72 
compares the previously stored R2 with separated data 
RR2 received from second encryption IC 76. If they, 
match, then first device 71 and its first encryption IC 74 
are authenticated as legitimate devices. 

(9) Data transfer key K is constructed inside first en- % 
cryption IC 74 using random number R3 and separated 
data RR4. The combination of both of these is shown in 
the drawing as data transfer key K (64-bit). 

(10) As in step (9), Data transfer key-K is construct- 
ed inside second encryption IC 76 using random 
number R4 and separated data RR3 as in first encryp- 
tion IC 74. The combination of both of these is shown in . 
the drawing as data transfer key K (64-bit). 

(11 ) The digital copyrighted material mj; is divided 
into blocks and sent from MPU 73, is encrypted within 
first encryption IC 74 of first device 71 using the data 
transfer key K obtained in step (9). The process of trans- 
mitting the resulting encrypted text Cj is repeated until 
all of the digital copyrighted material that is to be trans- 
mitted has been sent. 

(12) Corresponding to step (11), the digital copy- 
righted material Cj, having been encrypted and sent 
from first device 71 , is decrypted within second encryp- 
tion IC 76 of second device 72 using the data transfer ; 
key K obtained in step (10). The obtained, digital copy- 
righted material mmj is sent to MPU 75. This decryption 
continues as long as digital copyrighted material text Cj 
is received. 

In this way mutual authentication, distribution of da-, 
ta transfer key K, and encrypted communication are per- 
formed by first device 71 and second device- 72 using 
the encryption apparatus of embodiment 2 in the same- 
manner as embodiment 1 . 

Here, the hardware construction of this embodi- 
ment is identical to the encryption apparatus of and em- 
bodiment 1 , with only the processing procedures, name- 
ly, connection of each hardware's constructional tele- 
ments and order of execution being different. Therefore, 
the characteristics of this embodiment'siencryption ap- 
paratus and alternate examples are the same as those 
of embodiment 1 . 

(Embodiments) * . /; ^- r 

The encryption apparatus of above embodiments 1 



and 2 have the following points in common. 

(1 ) Two random numbers are generated by the two 
devices. One is used solely for authentication, while 
the other is used solely for data transfer key K. 

(2) The random number used for data transfer key 
K is never sent outside the encryption IC is its orig- 
inal state, while the random number used for au- 
thentication is made known outside the encryption 

• IC. . : 

The encryption apparatus of embodiment 3, on the 
other hand, generates only one random number, and us- 
es that for the generation of both authentication and the 
data transfer key K. This is for reducing the burden of 
random number generation inside the encryption IC 
compared to embodiments 1 and 2. 

Also, random number generation and comparative 
processing for authentication are conducted inside the 
encryption IC In other words, unlike embodiments 1 and 
2, authentication processing is also conducted within 
the circuits of the encryption IC. in addition to the gen- 
eration of data transfer key K. As stated above, this is 
to deal with the unauthorized use of the encryption IC 
as a method of decrypting the encrypted text, and so 
.better protects the security of the encrypted communi- 
cation. 

• Fig. 6 shows the processing sequence of embodi- 
ment 3 which conducts mutual authentication, distribu- 
tion of data transfer key K, and encrypted communica- 
tion of data between first device 71 and second device 
72, which are equipped with encryption apparatus per- 
taining to this invention. 

Fig. 6 shows digital copyrighted material mj being 
transmitted from first device B1 to second device 82. 

And, as in embodiments 1 and 2, the encryption ap- 
paratus pertaining to this invention is also mostly com- 
prised of MPUs 83 and 85, and encryption ICs 84 and 
86. However,. MPUs.83 and 85 only perform the function 
of sending digital copyrighted material mj to encryption 
. ICs 84 and 86, so the encryption apparatus pertaining 
■ to this invention is practically only made up of ICs 84 
and 86. 

First encryption IC 84 and second encryption IC 86 
are both single-chip semiconductor ICs, as in embodi- 
ments 1 and 2. 

The following is an explanation of the operations of 
the encryption apparatus in embodimenl 3 following the 
steps in Fig. 6. 

(1 ) Random number R1 is generated inside first en- 
cryption IC 84 which .stores it, encrypts it with E 
function and transmits it to second device 82 
through the transmitter of first device 81 (not 
shown). The encryption makes use of the secret au- 
thentication key S also provided inside the second 
device 82. Second device 82 then sends the re- 
ceived encrypted text C1 to second encrypLion IC 



75 



.20 



25* 



30 



35 



40 



45 . 



SO 



12 



BNSDOCID: <EP 0809379A2_I_> 



23 



' l=p 0 809' 379 A2 



24 



86: 

(2) Second encryption IC 86 decrypts the received 
encrypted text C1 with inverse conversion algorithm 
D, and acquires decrypted text RR1 . If both first en- 
cryption IC 84 and second encryption- IC 86 are le- 
gitimate devices, then decrypted text RR1 should 
match random number R1 . 

(3) Random number R2 is generated inside second 
encryption IC 86 which stores it, combines it with 
decrypted text RR1 , and decrypts the result with in- 
verse conversion algorithm D. Authentication key S 
is used in the decryption. Second encryption IC 86 
then transmits decrypted text C2 to first device 81 - 

•through the transmitter of second device 82 (not 
shown) First device 81 then gives this to first' en- 
cryption IC 84. ' ' ' • 

(4) First encryption IC 84- encrypt s : decrypted text 
C2 with E function, and divides the result into sep- 

' arated data RRR1 and separated data RR2. Fur- 
thermore, if the devices in communication are legil- ■= 
imate, then separated data RRR1 will match both 
decrypted text RR1 and random number Rl, while 
separated data RR2 will match random number R2. 

* (5) First encryption IC 84 compares random number 

* R1 previously stored, with separated' data RRR1. If 
they match then second encryption I C 86' and sec- 
ond device 82 which contains second encryption IC 

' 86 are authenticated as legitimate devices. 

(6) Separated data RR2 is then encrypted by first 
encryption IC using E function,' and is transmitted 
to second device 82. Second device 82 then gives - 
this encrypted text C3 to second encryption IC 86. 

(7) Encrypted text C3 is decrypted by second en- 
cryption I C 86 with inverse conversion algorithm D, • 
and decrypted text RRR2 is acquired. 

(8) Second encryption IC then compares random : 
number R2 stored in step (3) with the decrypted text - 
RRR2. If they match, then first encryption IG 84 and 
first device 81 which contains first encryption IC 84- 
are authenticated as legitimate device's. 

(9) ' First encryption IC 84 generates data transfer 
key K by combining random number Rl-and sepa- 
rated data RR2. 

(10) Second encryption IC 86 generates data trans- f 

* f er key K by combining decry pted 'text RR1 with ran- 
dom number R2. 

(11) First encryption IC 84 inside first device 81 en- 
' crypts digital copyrighted material mj (64-bit), which 

has been divided into blocks and received from 
MPU 83 using data transfer key K obtained in step 
(9). the process of transmitting obtained encrypted" 
text Cj to second device 82 is repeated until all of. 
the digital copyrighted material to be sent has been 
transmitted. 

(12) Corresponding to step (11),' second encryption 
IC 86 inside second device 82 receives encrypted 
digital copyrighted material Cj (64-bit) transmitted 
from first device 81 decrypts this with data transfer 
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key K acquired in step (10), and sends obtained dig- 
ital copyrighted material mmj to MPU 85, This de- 
cryption continues as long as digital copyrighted 
material Cj is received from first device 81 . 

•In this manner mutual authentication, distribution of 
data transfer key K, and encrypted communication of 
data are conducted by first device 81 and second device 
82 using the encryption apparatus of embodiment 3. 

Furthermore, a single random number is encrypted 
in steps (1), (2), (6), and (7), while a combination of two 
random numbers is encrypted in steps (3) and (4): When 
E function and inverse conversion algorithm D are used, 
all random numbers should be set to 32 bits, and the 
former group should be appended with a fixed 32-bit 
number padded onto the remaining 32 bits. For exam- 
ple, the lower 32 bits can be set to random, with the up- 
per 32 bits set as all zeros. Also, the combined 64 bits 
of the steps (3) and (4) into each function should be in- 
putted without amendment. 

Also, when the bit length of the random numbers is 
doubled into 64 bits, the former group of random num- 
bers should be inputted into the functions without 
amendment into the functions without amendment, 
while for the latter group of random numbers each func- 
tion should be performed twice for each random 
number, with linked encryption such as CBC mode. 

Unlike embodiments 1 and 2, the above embodi- 
ment 3 uses the same random number for authentica- 
tion and for distribuLion of the data transfer key Gener- 
ation of the random number for authentication and com- 
parison processing for authentication are also conduct- 
ed inside the encryption IC. Therefore, this is more se- 
cure against attacks which try to use encryption IC as a 
decryption device, since the random number in its orig- 
inal state never appears outside the encryption IC. As 
a result, a high level of security can be achieved even 
though the number of bits -for each random number is 
limited.. - : - <■>■ 

Embodiment 4 

■-• " Next is a description of the encryption apparatus 
pertaining to embodiment 4. 

: This apparatus is an embodiment of the present in- 
vention which realizes pursues compactness of the en- 
cryption IC, and- is different from the above embodi- 
ments 1-3 in the area of unilateral authentication, and 
making known the data transfer key. However, the en- 
cryption algorithm E and its inverse conversion algo- 

■ rithrfvD'are assumed secret. - 
' : Fig^ 7 shows the. processing sequence of digital 

:. copyrighted material mj being transferred from first de- 
vice 91 to second device 92. • 

Fig. 8 is a block diagram showing the hardware 
composition of first device 91 . 

(1 ) First, random number generator of first encryp- 
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tion IC generates random number R1 , which is used 
both as challenge data and as the data transfer key. 
R1 is then stored in random number storage unit 
102, and transmitted to second device 92 through 
external l/F unit 100. s 

(2) In response, second encryption IC 96 decrypts 

- the received random number R1 using authentica- . 
tion key S which is also distributed in first encryption 
IC 94. The obtained decrypted text C1 is then sent 

to first device 91. io 

(3) In first encryption IC 94, E function 106 encrypts 
decrypted text C1 , received through external l/F unit 
and switch 105, using the authenticatbn key S 
stored beforehand in authentication key S storage 
unit 103. The resulting data RR1 is sent to compar- JS. 
ison unit 1 08 by way of switch 1 07, where it is com- r . . 
pared to random number R1 stored in random 
number storage unit 102. • 

(4) If, as a result, there is a match, then second de- 
vice 92 can be authenticated as a legitimate device, 20 
so comparison unit 10B controls switch 104 so that 

. random number R1 stored in random number stor- 
age unit 102 is used as the data transfer key. 

(5) E function 106 encrypts digital copyrighted ma- 
terial mj : sent by way of external l/F. unit 100 and 25 
switch 105, using random number R1, sent by way 

of switch 104, and then sends this to second unit 92 .. 

- through switch 107 and l/F unit 100- 

(6) Second encryption circuit IC 96 inside' second • 
device 92 decrypts the digital copyrighted material 30 
cj sent from first device 91 using random number 

R1 received in step (2) as the data transfer key. The 
resulting digital copyrighted material mmj is sent to 
'MPU 95. 

35 

In this manner, authentication, distribution of the da- ' 
ta transfer key, and encrypted communication is real- 
ized in this embodiment through fewer steps and com- 
ponents than embodiments 1 -3. 

Furthermore, because random number R1, 6ent 40 
' from first device 91 to second device 92, is-used as the . . ; 
data transfer key as it is, the data transfer key could be y- - 
easily known to a third party. However, even .if a third 
party aware of the data transfer key attempted to decrypt -* 
and gain access to the digital copyrighted material Cj, 45 
the encryption algorithm E and the inverse conversion 
algorithm D is kept secret, as illustrated above, so such- 
an attempt would not succeed. 

Alternatively, if a third party, were todecipherthe en- 
• cryption algorithm by hacking the appropriate random so { 
number, only the random number generator -101 can . 
""store a new random number Rl into raftdom number 
storage unit 102, so such an attempt would also fail be- 
cause it is not possible to store a newly-generated ran- 
dom number R1 into random number storage unit 101 ss 
from outside first encryption IC 94. 1 " ' 

In this manner, if the encryption algorithm and the 
inverse conversion algorithm are made secret, then au- 



thentication, generation of the data transfer key, and en- 
cryption communication can be realized even with the 
compact encryption IC described in this embodiment. 

Furthermore, a favorable method for setting (stor- 
ing) authentication key S into the encryption IC in em- 
bodiments 1 -4 is listed below. 

Basically, this is a method in which a portion of au- 
thentication key S is set before the manufacture of en- 
cryption IC, and the remaining portion is inscribed after 
manufacture of the encryption IC. A portion of the au- 
thentication key-S storage, unit 64 is made up of mask 
ROM, in which a portion of the authentication key S is 
inscribed in advance, while the remaining portion is 
made up of programmable ROM. 

If the construction relied exclusively on mask ROM, 
.then it would be secure because the creation of the final 
encryption I C eliminates the possibility of human error, 
but there is also the drawback that it is easy to analyze 
the set value by analyzing the chip through reverse en- 
gineering. On the other hand, if the construction relied 
exclusively on programmable ROM, then although the 
analysis of the set value through reverse engineering of 
the chip is difficult, there are drawbacks such as poten- 
tial for human error during setting, and the possibility of 
improper access. The use of both technologies is to 
make up for each of their respective drawbacks. 

Below is another concrete example of the encryp- 
tion algorithms in the encrypted communication of em- 
bodiments 1 -4 , . 

The digital copyrighted material of the sender is di- 
vided into 64-bit blocks and an exclusive OR is taken for 
each bit with the data transfer key K (64-bit). In the same 
manner the, receiver takes exclusive OR between the 
received 64-bit encrypted text and the data transfer key 
K to restore the original blocks. 

Also, there is the method which each block of the 
- data-transfer key K in use is renewed with synchroniza- 
tion between the sender and receiver, instead of the da- 
ta transfer key K being fixed. There,- E function and al- 
gorithm D may be used for the updating. The encryption/ 
decryption within the block may be exclusive OR as stat- 
ed above. 

Embodiments 1-4 are explained using examples of 
•challenge/response authentication methods, but this in- 
vention is not. limited to such examples. This could be 
another type challenge/response authentication meth- 
od which generates random numbers on the authenti- 
calor's side, sends them as challenge data, and com- 
pares the response data sent from the prover to the ref- 
erence response data generated by the verifier. 

Technologies which securely .conduct authentica- 
tion and encrypted communication in small-sized cir- 
cuits are described in the embodiments 1-4, but it is ob- 
vious that there is a trade : off between the level of secu- 
rity and the size of the circuits necessary for such secu- 
rity. Therefore, if there is room in the MPU and leeway 
in the circuit size which can be contained inside the en- 
cryption IC, then the security of encrypted communica- 
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tion can be strengthened by adding a new conversion 
method which executes data conversion F () 1 • 

(1 ) One such method is to prevent challenge data's 
plaintext and response data's plaintext from flowing 
through the line of communication. 

For example, the processing sequence shown in 
Fig. -3, in which first device 51 authenticates second de- 
vice 52 (steps (1), (3), (6), and (7)) are changed to the 
following: 

In step (6) second encryption IC 56 does not send 
separated data RR1 to MPU 53, but instead performs 
fixed conversion F() on separated data RR1 , and sends 
the resulting data F (RR1 ) to MPU 53. 

In step (7) MPU 53 does not compare random 
number R1 with separated data RR1, but instead per- • 
forms the same conversion F () on random number R1 
as used in the said step (6)/ arid compares the resulting: 
data F (R1 ) with data F (RR1 ) sent from second encryp- 
tion IC 56. 

In doing this the encrypled lexl C1 and a pari of its ■ 
plaintext RR1 can be prevented from flowing through the 
line of communication, so security against known plain- 
text attacks can be strengthened. 
* (2) The other method'is to avoid using the challenge 
data in its original form as the data transfer key. 

For example, in step (5) shown in Fig. 7, first en- 
cryptioh IC 94 does not use random number R1 in its 
oriqinal form as the data transfer key, but instead per- 
forms a fixed conversion F() on random number R1 , and 
uses the resulting data F(R1.) as the data transfer key. : 

Likewise, in step (6) second encryption IC 96 does 
not use random number R1 in its original form as the 
data transfer key. but instead performs the same con- 
verter F() on random number Rt-as in step (5), and uses 
the resulting data F(R2) as the data transfer key. 

- By doing this the data transfer key F(R1) can be* ■ 
concealed, and the security of the encryption is 
strengthened. ' ~ 

- (3)The last method is to increase the complexity of 
the combination process. ' ' , 

For example; in step (9), the first encryption IC 54** 
docs not combine random number R3 with separated r: 
data RR4 simply by lining them up by column, but in 1 - n 
stead performs a fixed conversion F() on R3 and RR4,~ 
and uses the resulting data F(R3, RR4) as the data- 
transfer key.' ■ . ■ - , 

Likewise, in step 1 0 the second IC 56 does not com- 
bine random number R4 with separated data RR3 sim- 
ply by lining them up by column, but instead performs ■ 
the same' fixed : conversion F() on R4 and RR3 as used 
■ in step (9)^ and uses the resulting data F(R3, RR4) as 
" "the data transfer key/ '■ 

By doing this the procedure for generating the data 
transfer key becomes more complex, so the security of 
the "encrypted communication is strengthened. 



Specific Example of Suitable Application to a 
Communication System. 

In this manner the encryption apparatus of the 
s present invention is equipped with a small-size encryp- 
< tion IC, and possesses the least amount of f unction nec- 
essary for preserving the security of communication be- 
tween the devices. Therefore, this encryption apparatus 
is ideal for communication devices which require secret 
10 communication and small circuitry, such as portable tel- 
ephones and multimedia-related devices which handle 
;diqital copyrighted material. . . 

Fig. (9);shows a concrete example of suitable ap- 
• plication to a communication system of the encryption 
is* apparatus pertaining to this invention, and shows a play- 
: back system for digital copyrighted material, such as a 
movie. 

This system is made up of optical disc drive appa- 
ratus 110 which corresponds to the first device of the 
20 \ previous embodiments, image playback apparatus 111 
.* which cor responds to the second device, and SCSI ca- 
' ble 116, which connects these two. It is a system in 
which compressed image data read out from optical disc 
3. drive apparatus 110 is encrypted and sent to image play- 
25: back unit 111, where images arc played back. 

Fig. 10 is a block diagram showing the configuration 
of optical disc drive apparatus 110. ■ - 

Optical disc drive apparatus 1 1 0 is made up of MPU 
124 which controls the entire apparatus, SCSI controller 
30 "121 which is the communication interface with image 
- -playback apparatus 111, readout control unit 122 which 
controls optical head 125 and controls readout of image 
1 . data from optical disc 115. and encryption IC 123 which 
corresponds to the encryption IC in the first device in 
35 embodiments 1-4. After image playback unit 111 has 
' been authenticated as a legitimate device, the image 
data recorded on optical disc 115 is read out, encrypted 
in encryption IC 123, and sent to image playback unit 
111 through SCSI cable 116. 
40 - * . Fig: 11 is a diagram showing an.outltne of the circuit 
> : - : board mounted inside the optical disc drive apparatus 
viio^Encryption:IC -123 is an LSI formed from a single 
'» silicon board, and has the shape of a flat package mold- 
■v L ednn plastic. 

45 . Fig. 12 is a block diagram showing the configuration 

■ of image playback. apparatus 111 . 

v image playback apparatus 111 is made up of MPU 
131 which controls the.entire apparatus, SCSI controller 
. 130 which Js the communication interface with optical 
so disc drive apparatus 11 0, encryption IC 132 which cor- 

■ "responds tcthe second device of embodiments 1-4, 
' *. MPEG. decoder 133 which conducts expansion of the 

: .compressed data decrypted by encryption IC 132 : and 
AV'signal processor 134 which converts the expanded 
55 j image data'into an analog image signal and outputs this 
to CRT 112 arid speaker 114. 

Byapplying the encryption apparatus pertaining to 

■ • the present invention to this kind of image playback sys- 
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tern, the digital copyrighted material recorded onto disc - v 
115 is protected from improper copying. Thus the 
healthy development of the distribution market for mul- 
timedia-related products can be expected. 

- - s - 

Claims * « ■ 

1. An encryption apparatus for devices which distrib- 
ute a data transfer key and use the data transfer key io 
to perform encrypted communication, the encryp- 
tion apparatus comprising: 

first random number generation means for gen- - * 
erating first random number for distributing the - 1S " 4. 
data transfer key; • 
first random number storage means for storing • 
the generated first random number; 
first transmission means for transmitting the ' 
generated firsl random number to a device in 20 5. 
1 communication, 

wherein the device in communication is another 
device in current encrypted communication; 
data transfer key generation means for gener- 
ating the data transfer key through use of the 2S 
first random number stored by the first random - 
number R1 storage means,* the data transfer 
key being time-varying; < ' * *" " 

transfer data encryption means for encrypting^' 
the transfer data to be transferred in the en- 30 
crypted communication through use of the data * . 
transfer key. 

wherein the first random number generation 
means, the first random number storage 
means, the data transfer key generation ■ 35 
means, and the transfer data encryption means 
are implemented through a single IC, and - ' 

wherein the first random number storage 
• means stores the first random number in an ar- ■ ; , ' . 
ea tamper-proof from outside the IC. K ' 

' 2. The encryption apparatus of Claim 1 , further com- 
prising: *'••.-: * - . * . 

first encryption means for encrypting the first 
random number, wherein the first encryption means ■ V 4S e. 
is realized by circuits inside the IC, and wherein the 
first transmission means transmits the first random 
number, encrypted by the first encryption means, to 

the device in communication. 

• . - - - . ; . so 

3. The encryption apparatus of Claim 2, wherein each - • 7. 
of 'the devices which conduct encrypted communi-?"-" 
' cation authenticates the other device as a legitimate. ^ 
device by performing communication based on a 
challenge/response-type authentication protocol, ss 
wherein each encryption apparatus further com- 
* prises: ■ ' 8. 



second random number generation means for 
generating a second random number to be 
used as challenge data to be transmitted to the 
device in communication; and 
authentication means for judging whether re- 
sponse data returned from the device in com- 
munication in response to the challenge data 
and the second random number match, and in 
case of a match, .for authenticating the device 
in communication as a legitimate device, and 
wherein the data transfer key means generates 
the data transfer key in the event of authentica- 
tion. 

The encryption apparatus of Claim 3, wherein the 
second-random number generation means and the 
.authentication means are implemented by circuits 

• provided outside the IC 

The encryption apparatus of Claim: 4, further com- 
prising: 

a decryption means for decrypting encrypted 
combined data sent from the device in commu- 
nication; 

a separation means for separating the decrypt- 
ed combined data into a first separated data 
which- corresponds to response data and a re- 
maining second separated data; and 
second transmission means for transmitting the 
- first separated data to the device in communi- 
cation, 

wherein the first encryption means combines 
first random number with the second random 
~ number, and encrypts the resulting combined 
data, and 

the data transfer key generation means gener- 
ates the data transfer key by combining the first 
random number with the second separated da- 
ta; and 

the . decryption means and the separation 
means are implemented through circuits inside 
-the IC. . 

The encryption apparatus of Claim 5, wherein an 
encryption algorithm used by the transfer data en- 
cryption means is identical to an algorithm used by 
at least one of the first encryption means and the 
decryption means. 

The encryption apparatus of Claim 5, wherein the 
encryption algorithm of he transfer data encryption 

• .means differs from and is simpler than an algorithm 
used by either of the encryption and the decryption 
means. 

. The encryption apparatus of claim 7, wherein the 
transfer data encryption means divides the transfer 
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data into blocks and encryption each block using 
part corresponding to the data transfer key. 

9. The encryption apparatus of claim 8, wherein trans- 

• fer data encryption means conducts encryption us- 
ing exclusive OR on the blocks and data transfer 
key. 

10. The encryption apparatus of Claim 9, wherein the 
encryption performed by the first encryption means 
and the encryption performed by the second en- 
cryption means use the same conversion algorithm. 

11. The encryption apparatus of Claim 10, wherein the * 

• first encryption means .and-the decryption means 
decrypt and encrypt using key data stored in ad- 

. vance inside the IC; and, wherein one part of the 
key data is stored in a mask ROM area inside the 
IC, and the other part is stored in a programmable . 
ROM area- inside the IC- - • : . 

12. The encryption apparatus of Claim 4 further com- 
prising: - * - ■ ■ ' 

second transmission means for transmitting the 
second random number to; the device in com- 

* * munication as challenge data; ; 

decryption means for decrypting encrypted 
combined data sent from the device in commu- 
nication; and - . . 
. separation means • for separating decrypted 
combined data into a first separated data cor- 
.■ " " ■ ■ responding to the response data, and a remain- : 

- inp second separated data, 

wherein the authentication means performs the 
judgement and authentication with the first sep-, 
arated data as the response data sent back 

- from the device in communication, 

wherein the first encryption means combined . 
the challenge data sent from the device in com- 

* munication with the first random number, and 
encrypts the resulting combined data, and 
wherein the data transfer key generator gener- 
ates the data transfer key by combining the first r 
random number with the second separated da- < 
ta, and ■ * . 

"the decryption means and the separation - 
means are implemented by circuits inside the , 
IC. ■ - 

- 13. The encryption apparatus of Claim 12; wherein an 
' -encryption algorithm used by the transfer data en- 
cryption means is identical to an algorithm used by 
~ at least one of the first encryption means and the 
decryption means. 

14. The encryption apparatus of Claim 1 2, wherein the 
encryption algorithm of he transfer data encryption 



. - means differs from and is simpler than an algorithm 
, used by either of the encryption and the decryption 
. . - means. . ..• 

5 15. The encryption apparatus of claim 14, wherein the 
transfer data encryption means divides the transfer 
data into blocks and encryption each block using 
part corresponding to the data transfer key. 

10 16. : The. encryption apparatus of claim 15, wherein* 
transfer data encryption means conducts encryp- 
tion using exclusive OR on the bJocks and data 
transfer key 

i$: 17. The encryption apparatus ofdaim 16, wherein the 
encryption performed by the first encryption means 
and the encryption performed by the second en- 
cryption means use the same conversion algorithm. 

20 18. The encryption apparatus of Claim 17, wherein the 
first encryption means and the decryption means 
decrypt and encrypt using key data stored in ad- 
vance inside the IC, and, 

wherein one part of the key data is stored in 
-2S a mask ROM area, inside the tC, and the other part 
: is stored in a programmable ROM area inside the 

,..! IC. . , 

*. .19, The encryption apparatus of Claim 2, wherein each 
of the devices which conduct encrypted communi- 
cation authenticates the other device as a legitimate 
device by performing communication based on a 
challenge/respon.se-type authentication protocol, 
lt wherein each encryption apparatus further com- 
. 35 , . prises: 

decryption means for decrypting encrypted 
■ combined data sent from the device in commu- 
■r. ; ; <> : nicationjn response to the challenge data; 
40 * ; , separation means for separating decrypted 
combined data into a first separated data which 
* / corresponds to the response data and a re- 
maining second separated data; 
< r\- . , * . . . authentication means which judges whether or 
45 not the first random number matches the first 

separated data, and in the event of a match, 
. ; . > authenticates the device in communication as 

a legitimate device; 

second encryption means, for encrypting the 
50 second separated data in the event of authen- 

. .\ ;tication; and , - 

second transmission means which transmits 
the encrypted second separated data to the de- 
. - -* .c vice in communication as response data, 
55. , - no'-? -wherein the - data, transfer key generation 
- . .\r - .means generates the data transfer key by com- 
bining the first random number and the second 
separated data, 
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wherein the decryption means, the separation . : 
means, and the second encryption means are 
implemented through circuits inside the IC. 

20. The encryption apparatusof Ctaim 19, wherein an s 
encryption algorithm used by the transfer data en- - - 
cryption means is identical to an algorithm used by 
at least one of the first encryption means and sec- 
' ond encryption means and the decryption means. 

* 10 

21; The encryption apparatus of Claim 1 9, wherein the 
encryption algorithm of he transfer data encryption 
means differs from and is simpler than an algorithm 
used by either of the encryption and the decryption; 
means. is 

22. The encryption apparatus of claim 21 , wherein the 
transfer data encryption means divides the transfer. - 
data into'blocks and encryption each block using.- 
•parlcorrespondmg to the data transfer key. 20 

23. The encryption apparatus of Claim 22, wherein 

■ transfer data encryption means conducts encryp- . : 
tion using exclusive OR on the blocks and data 
transfer key. " 25, 

24. The encryption. apparatus of Claim 23, wherein the ■ -;. r . 
encryption performed by the first encryption means : -. ,.. ^ 
and second encryption means and the encryption 
performed by the second encryption means use the 30 
same conversion algorithm. ■ • • • 

25. The encryption apparatus of Claim 24, wherein the . s 
first encryption means and second encryption - 
means and the decryption means decrypt and en- 35- 
crypt using key data stored in advance inside the ' • . 
IC, and, 

wherein one part of the key data is stored in 
• a maskiROM area inside the IC, and the other part 
is stored in a programmable ROM area inside the 
IC. 

26. A communication system made up of a transmitter 
and a receiver which conduct distribution of a data 
transfer key and encrypted conrimunication using 
the data transfer key, the transmitter and receiver, 
being devices in communication which mutually au- 
thenticate each other through communication 
based on an authentication protocol of challenge/ 
response type, wherein the transmitter and the re- 

• . " "ceiver each comprise: * * 

first random number generation means for gen- 
erating a first random number to be used as 
challenge data; ;--<'.. 
second random number generation means for 
generating a second random number to be 
used as the data transferkey; 



40- 



45 



so 



combination means for, combining the first ran- 
dom number with the second random number; 
• encryption means for encrypting the combined 
data; 

first transmission means for transmitting the en- 
crypted combined data to the device in commu- 
nication; 

first receiving means for receiving the encrypt- 
ed combined data sent from the first transmis- 
sion means; 

decryption means for decrypting the received 
combined data; 

. separation means for separating the decrypted 
combined data into a first separated data which 
corresponds to the response data, and a re- 
. maining second separated data to be used for 
the. data transfer key; 

. , second transmission means for transmitting the 
first- separated , data to the device in communi- 
cation as response data, 
second receiving means for receiving the first 
separated data returned from the second trans- 
mission means of the device in communication; 
comparison means which compares the re- 
,cc iy cd first separated data with th c first random 
• ... number, and in the event of a match, authenti- 

■ cates the device in communication as a legiti- 
mate device; 

data transfer key generation means for gener- 
ating the data transfer key by combining the 
second random, n umber with the second sepa- 
rated data: and 

encrypted communication means for conduct- 
ing encrypted communication with the device 
in communication by using the generated data 
transfer key when authentication has been 
achieved,, 

A communication system made up of a transmitter 
and a receiver which conduct distribution of a data 
transfer key and encrypted communication using 
the data transfer key, the transmitter and receiver, 
being devices in communication which mutually au- 
thenticate each other through communication 
based on an authentication protocol of challenge/ 
response type, wherein the transmitter and the re- 
ceiver each comprise: 

first random number generation means for gen- 
erating a first random; number to be used as 
challenge data;- . 
first transmission -means for. transmitting Lhe 
first random number to the device in communi- 
cation; • 

first receiving means for receiving the first ran- 
- dom number sent .from the first transmission 

means of the device in communication; 
. second random number generation means for 
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generating a second random umber to be used 
' for the data transfer key; 

combination means for combining the received 
first random number with the second random 
number; 

• encryption means for encrypting the combined 
data; 

second transmission means for transmitting the 
encrypted combined data to the device in com- 
munication; 

second receiving means for receiving the en-' 
crypted combined data sent from the second 

= transmission means of the device in question; 

■ decryption means for decrypting the received- 
combined data; 1 

separation means for separating the decrypted 
combined data info : a first separated data which < 
corresponds toth-e response data and a second > 
separated data tb'be used fdr the data transfer ■ 
key; 

data'transfer key generation means for gener- 

- ating the data transfer key by combining the 
second random number with the second sepa- 
rated data; and 

"encrypted communication means for conduct- 

- ■ ing encrypted 'communication with the device 

in communication by using the generated data- 
transfer key when -authentication has been- 
achieved. 

A communication system made up of a transmitter 
and a receiver which conduct distribution of a data 
transfer key and encrypted communication using 
the data transfer key, the transmitter and receiver, 
being devices in communication which mutually au- 
thenticate' each other through communication 
based on an authentication protocol of challenge/ 
response type, wherein the transmitter comprises: < 

first random number generation means for gen-^ 
e rati rig a first random number; ; : 
first encryption means* lor encrypting the first 
random number; and ~" r : - 
first transmission mea'nsfortransmitting the en- • 
crypted first random number to the receiver, 

wherein the receiver comprises: 

first receiving means for receiving the encrypt- 
ed random number; J ; 
first decryption means for decrypting the re- 
ceived first random number; 
second random number generator for generat- ■ 
ing a second random number; 
first combination means for generating com- 
bined data by combining the first random" 
number with the second random number; 
second encryption" means for encryption the 
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. combined data; and 
second transmission means for transmitting the 
encrypted combined data to the transmitter, 

wherein the transmitter further comprises: 

; second receiving means for receiving the en- 
crypted combined data: 

second decryption means lor decrypting the re- 
ceived combined data; 

a separation means for separating the decrypt- 
ed combined data into a first separated data 
which corresponds to the first random number 
and a second separated data which corre- 
sponds to the second random number; 
first comparison means which compares the 
first random number with. the first separated da- 
tarand in the event of a match, authenticates 
the receiver as a legitimate device; 
third encryption means for encrypting the sec- 
ond separated data in the event of authentica- 
tion; and . 
first data transfer key generation means for 
generating the data transfer key by combining 
the first random number generated by the first 
random number generation means and second 
separated data obtained by the separation 
means, 

wherein the receiving means further compris- 



es: 



so . 



ss 



. third receiving means for receiving the encrypt- 

■ ed second separated data; 

■ third decryption means for decrypting the re- 
ceived. second separated data; 

second comparison means which compares 
: the.decrypted second separated data with the 
second random number, and in the event of a 
'match, authorizes the transmitter as a legiti- 
mate device; and 

second data transfer key generation means for 

generating the data transfer key by combining 
;i" the. .first: random number obtained by the first 
.. decryption means with the second random 

number generated by the second random 

number generation means, 

■. j wherein the transmitter further comprises: 

fourth encryption means for encrypting transfer 
data using the data transfer key generated by 
- ^the first data transfer key generation means; 
• and 

fourth transmission means for transmitting the 
* . encrypted transfer data to the receiver. 

and wherein the receiver also comprises: 
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fourth receiving means to receive the encrypted 
transfer data from the transmitter; and 
fourth decryption means for decrypting the en- 
crypted transfer data using the data transfer 
key generated by the second data transfer key 5 
generation means. 
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(57) In the first devices, MPU 53 generates random 
number R1 as challenge data. Random number R3 is 
generated by first encryption IC 54, and then combined 
with random number R1 , encrypted, and sent to second 
device 52 as encrypted text C1. When encrypted text 
C2 is similarly received from second device 52, first en- 
cryption IC 54 decrypts C2 and separates the decrypted 
result inlo first separated data RR2 and second sepa- 
rated data RR4. The first encryption IC 54 returns the 



first separated data to second device 52 as response 
data. MPU 53 compares the first separated data re- 
turned from second device 52 with random number R1 , 
and in the event of a match, authenticates second de- 
vice 52 as a legitimate device. The first encryption IC 54 
generates the time-varying data transfer key by combin- 
ing second separated data RR4 with random number 
R3, and transfers the digital copyrighted data to second 
device 52 by using the data transfer key 



CO 
< 

co 



\ 



00 



3. 

) 



Fig. 3 



-First Device - 



K51 52 \T 



— MPU v 53 /-First Encryption 

(l)Gencra6oa 
of Random 
Number RJ 



Rl (3)GencratH>n 
^"»t of Random 
Number R3 



(7)RR1=R1? 
Datamj 



0)RR2ltt(rE(S^2) 

(9)K=R3 1 RR4 
(ll)cpB(K^ij) 



CI C2 



RR2 RR1 



Second Device 5 

ftaoJEttiyptiMiC^ 56 t MPU— ^ 



(4)Generation 
of Random 
Number R4 
C2=TXSja|R4) 

(WllKR3=D(SjCl) 



(!0)K=RR3 I R4 



(12)mmj=D(lUj) 



R2 



(2)Geoeralioii 
of Random 
Number R2 



(8)RR2=R2 ? 



Datammj 



Printed by Jouve, 75001 PARIS (FR) 



,^c;lt> <EP 0809379A3_t_> 



V 



SFT?£09 379 A3 



European Patent 
Office 



EUROPEAN SEARCH REPORT 



Application Number 

EP 97 30 3504 



DOCUMENTS CONSIDERED TO BE RELEVANT 



Category 



X 
A 



US 5 351 293 A (MICHENER JOHN R 
27 September 1994 (1994-09-27) 
* abstract^ * 



Citation of document with Indication, whore appropriate. 
of relevant passages 



ET AL) 



* column 2, line 31 - column 3y line 43 * 

* column 5, line 50 - column 6, line 35 * 

* claims 11-13 * 

* figures 1,2 * ' 

GB 2 279 541 A (NIPPON ELECTRIC CO) 
4 January 1995 (1995-01-04) 

* abstract * 

* page 5, line 10 - page 8, line 21 * 

* claim 1 * 

* figures 1-3 * 



Relevant 
to claim 



CLASSIFICATION OF THE 
APPLICATION (IntO-B) 



1-4,19, 
26-28 
5,12,20, 
21 



H04L9/32 



1-4 



TECHNICAL FIELDS 
SEARCHED (tnt.CI 6) 



H04L 



The present search report has been drawn up for all darns 



THE HAGUE 



Doto of ocirplction o* the ac&roh 

25 August 2000 



Exeroinci 

Gautier, L 



CATEGORY OF CITED DOCUMENTS 

X : particularly relevant if taken alone 

Y : particularly reievanl If combined with another 

document of the same category 
A : techno logical background 
O : non-written disclosure 

H : imermedal? document * * 



1 : theory or princip'c undenytng the invention 
E : earlier patent document, but published on, or 

after me filing date 
D : documem cited n the application 
L : document cfced for other reasons 



& : member of tne same patent tarnly, corresponding 
document -~ . . 



BNSDOCiD: <EP 0B09379A3 1 > 



2 



EP 0 809 379 A3 



ANNEX TO THE EUROPEAN SEARCH REPORT 
ON EUROPEAN PATENT APPLICATION NO. 



EP 97 30 3504 



This annex lists the patent family members relating io the patent. documents cited in the above-mentioned European search report. 
The members are as contained in the European Patent Office EDP file on * : 

The European Patent Office is in no way liable for these particulars which are merely given for the purpose of information. t 

2b-Q8-2000 



Patent document 
cited in seaicfi lepra I 



Publication 
date 



Patent family 
member (s) 



Publication 
date 



US 5351293 



GB 2279541 



27-09-1994 
04-01-1995 



NONE 



JP 
JP 
us 



2531354 B 
7087564 A 
5642401 A 



04-09-1996 
31-03-1995 
24-06-1997 



i \ 



t ; :.' *;v.v. r.:"~ 1 * }*j 



& For mora details about this annex : see Official Journal of the European Patent Office. No. 12/82 - 



BNSDOCID: <EP 0809379A3_I_> 



f 



TWSPAGEBLAMKtus^) 



f 



X 



